Certificate ::= SEQUENCE {
    tbsCertificate          TBSCertificate,
    signatureAlgorithm      AlgorithmIdentifier,
    signature               BIT STRING }

TBSCertificate ::= SEQUENCE {
    version             [0] Version DEFAULT v1,
    serialNumber            CertificateSerialNumber,
    signature               AlgorithmIdentifier,
    issuer                  Name,
    validity                Validity,
    subject                 Name,
    subjectPublicKeyInfo    SubjectPublicKeyInfo,
    issuerUniqueID      [1] IMPLICIT UniqueIdentifier OPTIONAL,
    subjectUniqueID     [2] IMPLICIT UniqueIdentifier OPTIONAL,
    extensions          [3] Extensions OPTIONAL }

Version ::= INTEGER { v1(0), v2(1), v3(2) }

CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {
    notBefore   Time,
    notAfter    Time }

Time ::= CHOICE {
    utcTime         UTCTime,
    generalTime     GeneralizedTime }

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm           AlgorithmIdentifier,
    subjectPublicKey    BIT STRING }

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

Extension ::= SEQUENCE {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING }

                IMPLICIT IA5String,

IdProof ::= SEQUENCE {
    secret      OCTET STRING,
                OBJECT IDENTIFIER }

Figure 6

5/9
AUS9-2000-0255-US1
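Added example, not code from the patent: a minimal DER reader for the Extension type of Figure 6, run over constructed encodings. It shows the rule a relying party's parser must honour for `critical BOOLEAN DEFAULT FALSE`: DER forbids encoding a DEFAULT value, so an absent BOOLEAN is read as FALSE and an explicit FALSE is a malformed encoding. It also applies the rule from RFC 2459 section 4.2 that a certificate carrying a critical extension the verifier does not recognize must be rejected. The byte strings and OID set are constructed for the example.

```python
"""Minimal DER decoder for  Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }  (Figure 6).
Added example; the test vectors below are constructed, not taken from the patent."""

SEQUENCE, BOOLEAN, OID, OCTET_STRING = 0x30, 0x01, 0x06, 0x04


def read_tlv(buf, pos):
    """Return (tag, contents, position after the TLV) for the element at buf[pos].
    Definite-length only, as DER requires; length never exceeds the buffer."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(contents):
    """Dotted-decimal form of OBJECT IDENTIFIER contents (base-128 sub-identifiers;
    the first one packs the top two arcs)."""
    arcs, acc = [], 0
    for b in contents:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:
                first = 2 if acc >= 80 else acc // 40
                arcs += [first, acc - 40 * first]
            else:
                arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_extension(der):
    """Decode one Extension. Raises ValueError on anything that is not strict DER."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("Extension must be exactly one SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != OID:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False                         # DEFAULT FALSE: absent means FALSE
    tag, val, pos = read_tlv(body, pos)
    if tag == BOOLEAN:
        if val != b"\xff":                   # DER: TRUE is 0xFF; FALSE must be omitted
            raise ValueError("critical BOOLEAN is not DER (FALSE encoded or bad value)")
        critical = True
        tag, val, pos = read_tlv(body, pos)
    if tag != OCTET_STRING or pos != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    return {"extnID": decode_oid(oid), "critical": critical, "extnValue": bytes(val)}


def accept_extensions(extensions, known_oids):
    """RFC 2459 section 4.2: reject a certificate that carries a critical
    extension the verifier does not recognize; unknown non-critical ones are ignored."""
    for ext in extensions:
        if ext["critical"] and ext["extnID"] not in known_oids:
            raise ValueError("unrecognized critical extension " + ext["extnID"])
    return True


# Constructed vectors: basicConstraints (2.5.29.19) with cA TRUE, first marked critical,
# then with critical omitted (FALSE), then an invalid encoding with FALSE spelled out.
BASIC_CONSTRAINTS_CRITICAL = bytes.fromhex("300f0603551d130101ff040530030101ff")
BASIC_CONSTRAINTS_NONCRITICAL = bytes.fromhex("300c0603551d13040530030101ff")
NON_DER_EXPLICIT_FALSE = bytes.fromhex("300f0603551d13010100040530030101ff")

if __name__ == "__main__":
    print(parse_extension(BASIC_CONSTRAINTS_CRITICAL))
    print(parse_extension(BASIC_CONSTRAINTS_NONCRITICAL))
```

Rejecting the explicit-FALSE encoding is deliberate: a lenient parser that accepts both forms gives two byte-distinct encodings of the same extension, which is exactly the kind of ambiguity that lets a certificate be read differently by the CA that signed it and the host that checks it.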



Figure 7 (block diagram; only the element labels and reference numerals survive extraction):

  User Public Key 704; User Private Key 706
  X.509 Certificate 722: User Public Key (Signed) 724; HostIdMapping (Encrypted for Host) 726
  Request for Certificate 712: User Public Key 704; HostIdMapping (Encrypted for CA) 714
  Host System 700: Host Public Key 728; Host Private Key 730
  Authentication Data 732: Identity; Password
  Certifying Authority 716: CA Public Key 718; CA Private Key 720
  Network Directory 710: Host X.509 Certificate 708
  Legacy Application 734

Figure 7




Figure 8A (client side):

  802  Client system generates/obtains client public/private key pair
  804  Client obtains public key of certifying authority (CA)
  806  Client encrypts host identity mapping information using CA public key
  808  Client generates certificate request containing client public key and encrypted host identity mapping information
  810  Client sends certificate request to certifying authority
  812  Client receives and stores X.509 certificate containing signed client public key and host identity mapping information that was encrypted using public key of host system

Figure 8A



Figure 8B (certifying authority side):

  Begin
  820  Certifying authority (CA) receives client certificate request containing client public key and encrypted host identity mapping information
  822  Certifying authority (CA) verifies identity of requesting client
  826  Certifying authority obtains host public key
  826  Certifying authority decrypts encrypted host identity mapping information using CA private key
  830  Certifying authority encrypts host identity mapping information using host public key
  832  Certifying authority generates client certificate containing signed client public key and encrypted host identity mapping information
  834  Certifying authority sends certificate to client

Figure 8B




Figure 8C (host side):

  840  Client presents X.509 certificate containing encrypted host identity mapping information to host system
  842  Host system verifies client certificate
  844  Host system decrypts encrypted host identity mapping information using host private key
  846  Host system obtains host identity of certificate holder and associated secret information (e.g., password) from host identity mapping information
  848  Host system uses host identity and associated secret information for authentication of client (certificate holder) on another system or application
  850  Client uses services on system or application on which client has been authenticated

Figure 8C
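The three flows of Figures 8A, 8B and 8C as one runnable exchange, written here as an added example rather than code from the patent. The client seals the host identity mapping for the CA (806-808), the CA unseals it, re-seals it for the host and places it in a private extension of the certificate it signs (826-834), and the host verifies the CA signature over the TBSCertificate and unseals the mapping with its own private key (842-846). Assumptions not in the source: RSA-OAEP for the "encrypted for X" steps, a hypothetical private-arc OID for the HostIdMapping extension, a JSON encoding of the identity/secret pair, a one-day validity period, and the `cryptography` package; all keys are generated inside the example.

```python
"""Figures 8A-8C end to end. Added example; OID, encoding and algorithms are assumptions."""
import datetime
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Hypothetical private-arc OID for the HostIdMapping extension (assumption, not from the patent).
HOST_ID_MAPPING_OID = x509.ObjectIdentifier("1.3.6.1.4.1.99999.1.1")
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def seal(public_key, data):
    """'Encrypted for' the holder of public_key. RSA-OAEP/SHA-256 under a 2048-bit
    key carries at most 190 bytes, enough for an identity/password pair."""
    return public_key.encrypt(data, OAEP)


def unseal(private_key, blob):
    return private_key.decrypt(blob, OAEP)


def client_build_request(client_key, ca_public_key, host_identity, host_secret):
    """Figure 8A, 806-808: mapping sealed for the CA, plus a CSR carrying the client
    public key and a signature proving possession of the matching private key."""
    mapping = json.dumps({"identity": host_identity, "secret": host_secret}).encode()
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "client")]))
           .sign(client_key, hashes.SHA256()))
    return {"csr": csr, "mapping_for_ca": seal(ca_public_key, mapping)}


def ca_issue_certificate(ca_key, host_public_key, request):
    """Figure 8B. Step 822 (who is this requester?) is an out-of-band policy check;
    here only proof of possession of the client key is verified."""
    csr = request["csr"]
    if not csr.is_signature_valid:
        raise ValueError("CSR is not signed by the enclosed public key")
    mapping = unseal(ca_key, request["mapping_for_ca"])          # decrypt with CA private key
    for_host = seal(host_public_key, mapping)                     # 830: re-encrypt for host
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()                              # 832
            .subject_name(csr.subject)
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "CA")]))
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            # Non-critical (Figure 6: critical BOOLEAN DEFAULT FALSE), so relying
            # parties that do not know the OID still accept the certificate.
            .add_extension(x509.UnrecognizedExtension(HOST_ID_MAPPING_OID, for_host),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))


def _utc(dt):
    """Normalize to an aware UTC datetime; older `cryptography` returns naive UTC."""
    return dt if dt.tzinfo else dt.replace(tzinfo=datetime.timezone.utc)


def host_recover_mapping(cert, ca_public_key, host_key):
    """Figure 8C, 842-846: check the CA signature over TBSCertificate and the
    validity window before trusting anything inside the certificate."""
    ca_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                         padding.PKCS1v15(), cert.signature_hash_algorithm)
    now = datetime.datetime.now(datetime.timezone.utc)
    if not _utc(cert.not_valid_before) <= now <= _utc(cert.not_valid_after):
        raise ValueError("certificate outside its validity period")
    ext = cert.extensions.get_extension_for_oid(HOST_ID_MAPPING_OID)
    mapping = json.loads(unseal(host_key, ext.value.value))        # 844: host private key
    return mapping["identity"], mapping["secret"]                 # 846


def run_flow():
    """Whole exchange with freshly generated keys. Returns what the host recovers
    and whether a certificate minted by a rogue CA is rejected at step 842."""
    gen = lambda: rsa.generate_private_key(public_exponent=65537, key_size=2048)
    client_key, ca_key, host_key, rogue_key = gen(), gen(), gen(), gen()
    request = client_build_request(client_key, ca_key.public_key(), "legacyuser", "s3cret")
    cert = ca_issue_certificate(ca_key, host_key.public_key(), request)
    identity, secret = host_recover_mapping(cert, ca_key.public_key(), host_key)
    # Rogue CA: seals a mapping of its choosing for the host and signs with its own key.
    rogue_request = client_build_request(client_key, rogue_key.public_key(), "root", "pwned")
    forged = ca_issue_certificate(rogue_key, host_key.public_key(), rogue_request)
    try:
        host_recover_mapping(forged, ca_key.public_key(), host_key)
        forged_rejected = False
    except InvalidSignature:
        forged_rejected = True
    return identity, secret, forged_rejected


if __name__ == "__main__":
    print(run_flow())
```

Two points the flow itself does not settle. The host can unseal a mapping from any certificate it is handed, so step 842 has to include a check that the presenter controls the private key matching the certified public key (a signed challenge or TLS client authentication), or the certificate alone becomes a bearer token for the legacy password. And because the extension carries that password, its confidentiality rests entirely on the host private key 730; anyone who obtains that key can recover every user's legacy credential from certificates that are otherwise public.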



